Attack code for integer underflow bug is already circulating in the wild.

Adobe has released an unscheduled update for its ubiquitous Flash media player to patch a critical vulnerability that may already be under active exploit in the wild.

The security flaw exists in Adobe Flash Player 12.0.0.43 and earlier versions for Windows and OS X and 11.2.202.335 and earlier versions for Linux, according to an advisory published Tuesday morning. The vulnerability stems from an integer underflow bug in the underlying code that could be exploited to execute arbitrary code on the affected system. Because attackers can typically trigger such vulnerabilities surreptitiously after luring victims to websites hosting attacks, Adobe rated the threat as "critical," the company's highest severity category.
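The advisory gives no detail beyond "integer underflow," so the following is an added illustration of the generic bug class in C, not Adobe's code and not the actual CVE-2014-0497 defect. The record format, the `MR` magic, the `HDR_LEN`/`MAX_PAYLOAD` constants and both parser functions are assumptions made for this example. It shows how subtracting a header size from an attacker-controlled length without first checking that the length covers the header yields a negative (or, as `size_t`, enormous) count that slips past a signed bounds check, and the corrected ordering of checks.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed record layout (an assumption for this example, not SWF/Flash):
 *   bytes 0-1: magic "MR"
 *   bytes 2-3: total record length, big-endian, INCLUDING this 4-byte header
 *   bytes 4..: payload
 */
#define HDR_LEN 4
#define MAX_PAYLOAD 64

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Vulnerable pattern. total_len is validated against the buffer, but the header
 * size is subtracted without checking total_len >= HDR_LEN. A declared length of
 * 2 gives payload_len = -2: the signed comparison against MAX_PAYLOAD passes, and
 * the value handed to memcpy() as size_t becomes SIZE_MAX - 1. Returns 1 when the
 * length check passes (writing the count memcpy would receive), 0 when rejected.
 * The copy itself is deliberately not performed so the example stays runnable.
 */
int vulnerable_payload_len(const uint8_t *buf, size_t buf_len, size_t *copy_len)
{
    if (buf_len < HDR_LEN || buf[0] != 'M' || buf[1] != 'R')
        return 0;
    int total_len = be16(buf + 2);
    if ((size_t)total_len > buf_len)
        return 0;                              /* record must fit in the buffer */
    int payload_len = total_len - HDR_LEN;     /* BUG: negative when total_len < 4 */
    if (payload_len > MAX_PAYLOAD)
        return 0;                              /* -2 > 64 is false: check passes */
    *copy_len = (size_t)payload_len;           /* what memcpy(out, buf + 4, n) would get */
    return 1;
}

/*
 * Fixed: reject any record whose declared length cannot even hold the header,
 * then do all remaining length arithmetic in unsigned types. Returns the number
 * of payload bytes copied, or -1 if the record is rejected.
 */
int parse_record(const uint8_t *buf, size_t buf_len, uint8_t *out, size_t out_size)
{
    if (buf_len < HDR_LEN || buf[0] != 'M' || buf[1] != 'R')
        return -1;
    size_t total_len = be16(buf + 2);
    if (total_len < HDR_LEN || total_len > buf_len)
        return -1;                             /* no underflow possible past here */
    size_t payload_len = total_len - HDR_LEN;
    if (payload_len > out_size)
        return -1;
    memcpy(out, buf + HDR_LEN, payload_len);
    return (int)payload_len;
}

int main(void)
{
    /* Constructed inputs: a well-formed record, and one declaring total_len = 2. */
    const uint8_t good[] = { 'M', 'R', 0x00, 0x07, 'a', 'b', 'c' };
    const uint8_t bad[]  = { 'M', 'R', 0x00, 0x02, 'a', 'b', 'c' };
    uint8_t out[MAX_PAYLOAD];
    size_t n = 0;

    printf("good: vulnerable accepts=%d copy_len=%zu, fixed returns=%d\n",
           vulnerable_payload_len(good, sizeof good, &n), n,
           parse_record(good, sizeof good, out, sizeof out));
    n = 0;
    printf("bad:  vulnerable accepts=%d copy_len=%zu, fixed returns=%d\n",
           vulnerable_payload_len(bad, sizeof bad, &n), n,
           parse_record(bad, sizeof bad, out, sizeof out));
    return 0;
}
```

The point to carry away is the ordering: the lower bound (`total_len < HDR_LEN`) must be checked before the subtraction, and the check and the arithmetic must use the same unsigned type. Checking only the upper bound, as the vulnerable function does, cannot catch a value that has already wrapped or gone negative.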

"Adobe is aware of reports that an exploit for this vulnerability exists in the wild and recommends users update their product installations to the latest versions," the Adobe advisory stated. It went on to thank Alexander Polyakov and Anton Ivanov of antivirus provider Kaspersky Lab for reporting the vulnerability, which is tracked as CVE-2014-0497 in the Common Vulnerabilities and Exposures (CVE) system.

An Adobe spokeswoman had no further details about the in-the-wild exploit mentioned in the advisory. Frequently, such zero-day attacks are waged in highly targeted campaigns against specific individuals in a corporation or government agency. Given the risk of complete system takeover, however, all readers are advised to update their systems as soon as possible, regardless of their risk profile or the operating system they use. Updates are available from Adobe.

Promoted Comments

You should mention that users should uncheck the box to "install free McAfee Security Scan Plus" since, like Oracle, Adobe has decided to make their own security failure events into revenue generators. Yep, they make money every time they need to send out a patch. How's that for a motivation to make better software?

This may seem picky, but if Adobe has known about the threat long enough to update Flash, wouldn't it by definition no longer be a "zero-day" exploit? As in, an exploit being defined as one unknown to the developer?

It just seems like "zero-day" is being used a little freer than it used to. It only really makes sense in past tense in reference to the news of the exploit being discovered. As in, "the US government was taken down today by a zero-day exploit". 5 days later, "the US government fixes 5-day exploit and gets systems back online".

Unless of course they managed to learn about, patch, and update the application in a single day. But let's be realistic...

Zero-day specifically means any exploit released before a patch to fix it, before any users can become immune, not just the knowledge of workarounds. Any x days higher than that is an exploit released after the patch, presumed to be created by reverse-engineering the patch. It's the window to apply a patch, not the window of knowing about an exploit.

What, again? If only there was some mechanism for a program to automatically update itself, say if a certain option is checked. Oh well. I can dream.

Flash auto-updates itself... sometimes. First, the user can choose not to auto-update a little too easily. This should be an option buried under the settings for power users only. Then the update can just stop working for no apparent reason (AKA bugs). Then Adobe has chosen, in the past (don't know about 12.xx), to auto-update to the next incremental build only. The user needs to manually update to the next major version. And so on. All that equals a spotty and unreliable end-user auto-update experience.

Anybody else get the feeling that somebody at Adobe is working on the inside to make sure that hackers somewhere get the info ahead of time of all vulnerabilities they can use to create zero-day exploits?

No, I'm pretty sure the hackers are 6+ months ahead of Adobe at this point. The underlying issue is that Flash (like most of Adobe's products) was poorly designed and hastily implemented. The only way we're going to stop this from happening is to ditch the whole thing entirely.

I did a google search for "download adobe flash" and the first result points to todownload.com. The whois registration is hidden so I wouldn't trust that site at all. Other sites report it as a malware distributor.

Does google take advertising money from shady companies like that? Would it really be too hard to validate who it does business with?

As entertaining as all this self-congratulation for deleting Flash/Java in these Flash/Java threads is, what's the point? Things don't suddenly stop needing flash or java. And your system doesn't suddenly magically become secure.

Edit: yes it does, according to what I can find. And so does Firefox. Seems to be something that should be mentioned in the article, no?

All versions of Adobe Flash are Sandboxed. The versions that are updated through Windows Update for IE. The Pepper version for Chrome. The stand-alone install for Firefox. The system update for OS X/Safari. They're all sandboxed and have been for several versions now.

Sandboxes are in some ways much like seatbelts. They make people immeasurably safer, but they by no means guarantee people will survive. There are lots of examples of sandbox bypasses, as even a quick search on Ars will show. For instance:

Adobe is warning this exploit allows attackers to remotely execute malicious code on end users' computers. Under the circumstances, it makes little sense for readers to conclude they're safe from system takeover because Flash content is sandboxed.

It doesn't become magically secure, but it sure becomes more secure than it was before when you had a huge buggy executable that would run code from the internet.

Oh, I know Sandboxes aren't a panacea to solve all exploit problems. I wasn't trying to say (or imply - though I guess it does sound like it) that because it was Sandboxed that Flash isn't vulnerable to this particular exploit. I was merely stating/confirming that all current versions of Adobe Flash are sandboxed; at least for the browsers available on Windows and OS X. I don't know if any version of Flash for Linux is Sandboxed except for Chrome's Pepper Flash.

I always use http://www.adobe.com/products/flashplay ... tion3.html . I wish Adobe made this link more prominent. Plus, the exes I've downloaded from here don't auto-destruct when run -- convenient for installing over multiple machines at home. And, it doesn't prompt me to install McAfee/Chrome/other drive-by downloads.

Ugh, another Flash update. I normally keep this ghastly plugin disabled on my system until I encounter a site that absolutely requires it.

The worst kind of sites are the ones like IGN which will only serve Flash for videos normally, but will happily serve up HTML5 if you fake the useragent to be a mobile device. Give me the HTML5 video by default and fall back to Flash already!!

In my experience, Adobe Flash has never updated itself properly. On every Windows system I have (despite having checked the auto-update option), Flash will only inform me that it needs to update itself when I log in to the desktop after rebooting the machine for unrelated reasons.

Just a quick update from The Real World: My Win8.1 was patched on 4/2 at 19:12 (KB2929825). Should I be happy? Well, maybe. It's great Microsoft is in control of Adobe, since Adobe is not. Now we await Java ...

As long as Adobe wants me to type my Mac's admin password to update or install it, it isn't going on my machine. There is nothing they need to do that shouldn't be possible without elevated permissions—in fact, buggy, network connected, commonly exploited software like Flash is exactly what separate admin permissions are supposed to protect against.